-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-22:06.libalias                                       Errata Notice
                                                          The FreeBSD Project

Topic:          Incorrect fragmented IPv4 packet handling in libalias

Category:       core
Module:         libalias
Announced:      2022-01-11
Affects:        All supported versions of FreeBSD.
Corrected:      2022-01-09 22:04:56 UTC (stable/13, 13.0-STABLE)
                2022-01-11 18:15:02 UTC (releng/13.0, 13.0-RELEASE-p6)
                2022-01-09 23:06:52 UTC (stable/12, 12.3-STABLE)
                2022-01-11 18:19:32 UTC (releng/12.3, 12.3-RELEASE-p1)

Note: This errata notice does not update FreeBSD 12.2.  FreeBSD 12.2
users affected by this update should upgrade to FreeBSD 12.3.

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The libalias(3) library is a collection of functions for aliasing and
dealiasing of IPv4 packets, intended for masquerading and network
address translation (NAT).  Additionally, libalias(3) includes modules
to support protocols that require additional logic to support address
translation.

libalias(3) is used by several FreeBSD networking components: ng_nat(4),
ipfw(4) and natd(8).

II.  Problem Description

The patch committed for SA-20:12.libalias introduced additional
validation of TCP, UDP and ICMP protocol headers.  This validation
failed to take into account the possibility of IP packet fragmentation,
and could cause libalias(3) to return the PKT_ALIAS_IGNORED status code
for the first fragment of a packet, rather than applying aliasing rules.

III. Impact

Depending on the configuration of the consumer, this bug may cause
fragmented packets to be dropped, or may cause further processing of
fragments without aliasing rules applied.  For example, if the
NG_NAT_DENY_INCOMING flag is set on an ng_nat(4) node, fragments will be
unconditionally dropped.  Similarly, if the "deny_in" flag is set for an
ipfw(4) NAT rule, fragments will be unconditionally dropped.

IV.  Workaround

No workaround is available.  Only systems using NAT via ng_nat(4),
ipfw(4) NAT rules, or natd(8) are affected.  Systems leveraging pf(4) or
ipf(4) to perform NAT are not affected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.0]
# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.13.patch
# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.13.patch.asc
# gpg --verify libalias.13.patch.asc

[FreeBSD 12.3]
# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.12.patch
# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.12.patch.asc
# gpg --verify libalias.12.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              ec746e619578    stable/13-n248913
releng/13.0/                            4378aee9f82f  releng/13.0-n244772
stable/12/                                                        r371477
releng/12.3/                                                      r371486
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258970>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:06.libalias.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1f4ACgkQ05eS9J6n
5cLW2xAAjuMj68hzBt5aSxuRliu4wT+NdXMq/M5VWH9kHSZw2HrMfQuDY25ecwWE
VAkeQoIAV/+Uz8OrVKBBqlTgxZyFxmM8a2pNBURPSeY508o7X5h8HMHECaUndqMJ
dXfa2YgpUm36RQZfaKCGbBCIXUj4V+fmSFkoq87U0EXexrCim6m5tzMoBsWV7Eob
KWbZObwR2PrvYSoHvdbPNWrGF/6CDu/38x9TBxPU+sT3dVa4qJyUD3D/7hhe3Onb
VscwvebHNKZwaxxEJJma4xbUcOXJpOUVA/JRjphkzeX5B1Fgix1N4ae8C3ATXiZT
H9OhB+AU/EtTU5rbcWjEiNckIh/icGV9lkEuqX4AXKmQHeYJEVCctY+IgcZfppzq
MpY1OuDhjObvQtyuBv6up0EN/Lv2AAN8sooXIwwy00DX6ISnjtynP81huCpHLRE9
3xntY/y1JHDlNN5tFOBc+z3YNYRo5ha36UXuhi5IQvxGeN5gonW+cK3BUluK3U+Q
9ibXXaHPZ6V1nowksU1A72RGR2B+axYb7KrNzg+20I/rmjl0t2ZBtULMq1WWks/w
nLGY/Wb0uaK7GUiUte8l4ggm0oISGIa0ICCV3OogBeaytsWB0fi2atKJxvMuMvPT
XXj+zrqPw33nMu9mf0ClWQwiXWD8AKi3kFgfi6o9aC5zWd1LlCY=
=qTdA
-----END PGP SIGNATURE-----
